the present work was submitted to the lufg theory of

The present work was submitted to the LuFG Theory of Hybrid Systems

MASTER OF SCIENCE THESIS

APPROXIMATE MODEL CHECKING FOR

PROBABILISTIC RECTANGULAR AUTOMATA WITH

CONTINUOUS-TIME PROBABILITY DISTRIBUTIONS

ON JUMPS

Mengzhe Hua

Examiners:Prof. Dr. Erika ÁbrahámProf. Dr. Thomas Noll

Additional Advisor:Stefan Schupp Aachen, May 05. 2021

Abstract

A system consists of both discrete and continuous components is hybrid sys-tem. Most systems in our daily life are hybrid systems. A model to present thehybrid system is hybrid automata. We model the systems into hybrid automatato do mathematical analysis. Rectangular automata is an important subclassof hybrid automata by adding restrictions to labeling functions, and this thesisfocus on rectangular automata. In oder to avoid nondeterministic behaviors, weintroduce probabilistic rectangular automata with continuous-time probabilitydistributions.

A popular approach to verify certain properties is to do reachability analysis.We introduce forward and backward analysis to get the reachability of requeststates. For each reachable state we can calculate the probability to reach it fromthe initial states according to corresponding probability distributions.

Contents

1 Introduction 91.1 Structure of the Thesis . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

2 Preliminaries 132.1 Hybrid Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132.2 Rectangular Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . 162.3 Reachability Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

3 Stochastic Rectangular Automata 233.1 Discrete-Time Probabilistic Rectangular Automata . . . . . . . . . . . 233.2 Stochastic Rectangular Automata . . . . . . . . . . . . . . . . . . . . . 24

4 Reachability Analysis 294.1 Probability over Finite Path . . . . . . . . . . . . . . . . . . . . . . . . 294.2 Forward Analysis for Probabilistic Rectangular Automata . . . . . . . 334.3 Backward Analysis and Probability Calculation for Probabilistic Rect-

angular Automata . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354.4 Direct Backward Analysis for Probabilistic Rectangular Automata . . 36

5 Results 415.1 Simple Test Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . 415.2 A Two Room Shared Heater Example . . . . . . . . . . . . . . . . . . 44

6 Conclusion 476.1 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476.2 Future work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48

Bibliography 49

vi Contents

Chapter 1

Introduction

Systems with discrete state changing are called discrete system [HMU01] and systems,whose state variables change over time continuously, are called continuous systems. Asystem that consists of both discrete and continuous components is a hybrid system.Most systems in our daily life are hybrid systems, like computers, mobile-phones, air-planes and so on. Figure 1.1(a) shows how variable x changes over time in a discretesystem, and Figure 1.1(b) shows how variable x changes over time in a continuoussystem. If we combine the two systems, we will get a hybrid system and the evolutionof variable x shown in Figure 1.1(c). In oder to analyze the hybrid systems mathemat-ically, hybrid automata is introduced to model those systems. An important subclassof hybrid automata is rectangular automata, for which the model-checking problemis decidable [HM00]. Examples such as Billiard Balls [PDMV15], which models themotion of a billiard ball and its collisions with the wall, is a rectangular automaton.

Billiard balls system is a rectangular automaton without nondeterminism. How-ever many systems contain nondeterministic behaviors, such as IEEE 802.11 WLANprotocol [KNS02] which describes a two-way handshake mechanism to achieve commu-nication between two devices, in the meanwhile introduce a randomized exponentialback-off rule to handle with possible transmission conclusions. In oder to deal withthe nondeterminism caused by the randomized behavior, we consider to model thesystem as a probabilistic automaton.

One of the most popular modeling language to deal with probability is Continuous-Time Markov Chain (CTMC for short). A CTMC is a stochastic process, in which theprobability of moving from one state to another state is dependent on a transition ratematrix. However, a huge amount of probabilistic systems may allow different typesof probability distributions, such as discrete probability distribution. In this casewe consider to analyze models containing both continuous and discrete probabilitydistributions.

Stochastic Petri Nets (SPN for short) is one of the approaches which consist notonly stochastic process. In a SPN model, the probability of taking a transition isassociated with the probability distribution over delays on the state, i.e. the proba-bility of taking a transition is related to the time spent on the source state [BK02].Another approach is Stochastic Timed Automata (STA for short). In a STA model,the probability of taking a transition is independent on the delays, which means thatthe combined continuous and discrete probability distribution is associated to transi-tions [BBB+14].

10 Chapter 1. Introduction

x

t2 6

1

(a) Discrete system

x

t2 6

2

6

(b) Continuous system

x

t2 6 8

1

2

4

3

(c) Hybrid system

Figure 1.1: Variable changing over time in three types systems

Since timed automata is a subclass of rectangular automata [Kop96], we extend thestochastic timed automata to stochastic rectangular automata and apply reachabilityanalysis on stochastic rectangular automata.

1.1 Structure of the Thesis

In oder to introduce stochastic rectangular automata properly, we introduce necessarypreliminaries in Chapter 2. Firstly we give the formal definition of hybrid automata,which builds hybrid systems mathematically. By giving rectangular region restrictionswe introduce a subclass of hybrid automata, rectangular automata. In oder to checksome essential properties, we introduce reachability analysis consisting of forward andbackward methods.

After we get a clear view of rectangular automata, we define stochastic rectangularautomata in Chapter 3. Discrete-time probabilistic rectangular automata model thesystems which only associate discrete probability distribution over transitions. Aftergiven the definition of probability distributions over delays and transition, we extendit to the definition of stochastic rectangular automata.

The implementation is introduced in Chapter 4. The most critical part is theinterval calculation, because the probability to take a transition out-going of thestate and calculation of enabled transitions are dependent on the interval in which a

1.1. Structure of the Thesis 11

given transition may be taken from the state. Finally we introduce the brief idea ofhow to achieve reachability analysis by forward and backward method in stochasticrectangular automata.

At the end we present the experimental results in Chapter 5, starting with intro-duction of the tool HyPro. The discussion of our future work is in Chapter 6.

12 Chapter 1. Introduction

Chapter 2

Preliminaries

Rectangular automata is a subclass of hybrid automata [HKPV98]. We present hybridautomata first and then introduce rectangular automata based on the definition ofhybrid automata.

2.1 Hybrid AutomataHybrid systems are systems which combine the continuous activities and discretetransitions together [Bra05]. A bouncing ball system [JELS99] is a typical hybridsystem. An elastic ball is dropped from a certain height h0 and bounces with energyloss after reaching the ground. The height and the velocity of the ball change con-tinuously between each bounce, and the velocity of the ball changes discretely whenbouncing. In oder to model hybrid systems we introduce hybrid automata which aregraph specifications of hybrid systems. Hybrid automata specify discrete transitionsby edges and continuous activities by vertices.

Definition 2.1.1 (Syntax of Hybrid Automata [ACH+95]). A hybrid automaton(HA) H is a tuple H = (Loc,Var,Lab,Edge,Act, Inv, Init) with

• Loc is a finite set of locations.

• Var is a finite set of real-valued variables. A valuation ν for the variables is afunction ν : Var → R assigning a real value to each variable x ∈ V ar. We useV to denote the set of valuations.

A state is a pair s = (l,ν) where l ∈ Loc and ν ∈ V . We use Σ to denote the setof states.

• Lab is a finite set of synchronization labels, including the stutter label τ ∈ Lab.

• Edge is a finite set of transitions. Each transition e = (l, a, µ, l′) consists ofa source location l ∈ Loc, a target location l′ ∈ Loc, a synchronization labela ∈ Lab, and a transition relation µ ⊆ V 2. If (ν,ν′) ∈ µ we call ν the predecessorand ν′ the successor. For all transitions with label τ we call τ -transitions.

• Act is a labeling function that assigns to each location l ∈ Loc a set of activities.Each activity is a continuous function f : R→ V that assigns nonnegative realsto a valuation in V. The activities of each location are time-invariant: for all

14 Chapter 2. Preliminaries

locations l ∈ Loc, all activities f ∈ Act(l), and nonnegative reals t ∈ R≥0,(f + t) ∈ Act(l) holds where (f + t)(t′) = f(t+ t′) for all t′ ∈ R≥0.

• Inv is a labeling function, assigning an invariant Inv(l) ⊆ V to each locationl ∈ Loc.

• Init is a set of initial states with Init ⊆ Σ.

Intuitively, variable x ∈ Var represents a continuous activity of the hybrid systemand f ∈ Act(l) with l ∈ Loc shows how x changes according to time in state (l,ν)where ν ∈ V . A transition e = (l, a, µ, l′) ∈ Edge represents a discrete transition ofthe hybrid system. In the rest of this thesis we use → to denote both continuousactivities and discrete transitions.

Definition 2.1.2 (Semantics of Hybrid Automata [ACH+95]). As hybrid systemscontain discrete transitions and continuous activities, the semantics of a hybrid au-tomaton H = (Loc,Var,Lab,Edge,Act, Inv, Init) consist of two parts that are discreteinstantaneous steps (also called jump) and continuous time steps (also called flow):

1. Discrete step semantics

(l, a, µ, l′) ∈ Edge (ν, ν′) ∈ µ ν′ ∈ Inv(l′)

(l, ν)a−→ (l′,ν′)

Rulediscrete

for state s = (l, ν) ∈ Σ and for each discrete transition e = (l, a, µ, l′) ∈ Edgewith source location l we say that e is enabled if and only if some (ν,ν′) ∈ µ issatisfied and synchronization label a occurs.

2. Time step semantics

f ∈ Act(l) f(0) = ν f(t) = ν′ t ≥ 0 f([0,t]) ⊆ Inv(l)

(l,ν)t−→ (l,ν′)

Ruletime

for state s = (l, ν) ∈ Σ and for each continuous activity f ∈ Act(l) we say thatthe system stay at location l for t time step and the valuation changes to f(t)only if no valuation in [0,t] violates the invariant of the location l.

For a jump e = (l, a, µ, l′) ∈ Edge with (ν,ν′) ∈ µ we say that the predecessor νsatisfies the guard g of e and the successor ν′ equals to the reset r of e. In the rest ofthis chapter we denote µ = (g,r) for jumps.

Example 2.1.1. Figure 2.1 shows a simple hybrid automaton H1 = (Loc1,Var1,Lab1,Edge1,Act1, Inv1, Init1) with

• Loc1 = {l0,l1},

• Var1 = {x,y},

• Lab1 = {τ,a},

• Edge1 = {e0,e1,e2,e3,e4} where

– e0 = (l0, τ, (ν,ν), l0) with ν ∈ Vl0 ,

– e1 = (l1, τ, (ν′,ν′), l1) with ν′ ∈ Vl1 ,

2.1. Hybrid Automata 15

– e2 = (l0, a, ({y ≥ 5},{x := 0,y := 10}), l1),

– e3 = (l0, a, ({y ≥ 5},{x := 0,y := 0}), l0),

– e4 = (l1, a, ({y ≤ 5},{x := 0,y := 0}), l0),

e0 and e1 are τ -transitions, e2, e3 and e4 are jumps,

• activity functions are represented by differential equations: Act1(l0) = {x =1,y = x} and Act1(l1) = {x = −1,y = x},

• Inv1(l0) = {y ≤ 10} and Inv1(l1) = {true},

• Init1 = (l0,{x = 0,y = 0}).

l0x = 1y = xy ≤ 10

l1x = −1y = xtrue

x := 0, y := 0

e2a : y ≥ 5

x := 0,y := 10

e3

a : y ≥ 5

x := 0, y := 0

e0

τ

e4a : y ≤ 5

x := 0,y := 0

e1

τ

Figure 2.1: A simple hybrid automaton H1

We introduce flows and jumps in detail separately. Firstly, we take flows in locationl0 as an example: if invariant Inv1(l0) = {y ≤ 10} is satisfied for each time pointin [0,t], then the system may stay in location l0 for t time step. Next, we take e2

as an example of jumps: If synchronization label a occurs and guard g = {y ≥ 5} issatisfied at location l0, then e2 is enabled; If e2 is taken, then the system will set thevariables to the values given in effect r = {x := 0,y := 10}, i.e. x will be set to 0and y will be set to 10, finally the system will reach location l1 from l0. However, wenotice that e2 and e3 have the same source location l0, and they could be enabled atsame time points, we say that the hybrid automaton H1 is non-deterministic, whichmeans that after e2 and e3 enabled the system choose one of enabled edges to takenon-deterministically.

To simplify the graphical representations, in the rest of this thesis we omit τ -transition, non-synchronization labels and trivial invariant in graphical representa-tions.

A finite run [AD94] % of hybrid automata H = (Loc,Var,Lab,Edge,Act, Inv, Init)with state set Σ is a sequence of transitions

% = s0t1,e1−−−→ s1

t2,e2−−−→ . . .tn,en−−−→ sn


where n ∈ N, (si) = (li,νi) ∈ Σ with 0 ≤ i ≤ n, (ti)1≤i≤n ∈ R≥0, t0 = 0 andei = (li−1,ai,(gi,ri),li) ∈ Edge with 1 ≤ i ≤ n, ai ∈ Lab, gi ∈ Rn and ri ∈ Rn. Eachtransition si−1

ti,ei−−−→ si with 1 ≤ i ≤ n satisfies the following requirements:

• νi−1 + fi−1(t) |= gi,

• νi−1 + fi−1([0,t]) ⊆ Inv(i− 1),

• νi = ri,

where t = ti − ti−1 and fi ∈ Act(li). We say that n is the length of the run %. Weuse Runf (H,s0) to denote the set of all finite runs from s0 in H. Similarly an infiniterun [AD94] % of H is an infinite sequence of transitions.

% = s0t1,e1−−−→ s1

t2,e2−−−→ s2t3,e3−−−→ . . .

with (si)i∈N ∈ Σ, (ti)i∈N+ ∈ R≥0 and (ei)i∈N+ ∈ Edge, satisfying the above require-ments. We use Run(H,s0) to denote the set of all infinite runs from s0.

2.2 Rectangular Automata

Rectangular automata is one of the particularly important subclasses of hybrid au-tomata. Rectangular automata inherit all components of hybrid automata and restricttheir initializations, invariants, activities, and transition relations by rectangular re-gions.

Definition 2.2.1 (Rectangular Region). Given a region R ⊆ Rn with n > 0, R iscalled rectangular if it is a cartesian product of (possibly unbounded) intervals, all ofwhose finite endpoints are rational:

R = I0 × I1 × . . .× In−1

= {(x0,x1, . . . ,xn−1) ∈ Rn | ∀0 ≤ i ≤ n− 1. xi ∈ Ii}.

We use Rn to denote the set of all rectangular regions in Rn.

Definition 2.2.2 (Syntax of Rectangular Automata [HKPV98]). An n-dimensionalrectangular automaton (shortly rectangular automaton or RA) is a hybrid automatonH = (Loc,Var,Lab,Edge,Act, Inv, Init) with restricted labeling function:

• Edge is a finite set of transitions. Each transition e = (l, a, µ, jump, l′) consistsof a source location l ∈ Loc, a target location l′ ∈ Loc, a synchronization labela ∈ Lab, and a transition relation (µ, jump) ⊆ (Rn × Rn) × 2{1,...,n} withµ = (g,r). For each i ∈ jump the value of variable xi ∈ Var will be changed toa value v ∈ ri non-deterministically and for each i /∈ jump the value of variablexi ∈ Var does not change.

• Act : Loc→ Rn.

• Inv : Loc→ Rn.

• Init : Loc→ Rn.

2.2. Rectangular Automata 17

Definition 2.2.3 (Semantics of Rectangular Automata [HKPV98]). The semanticsof a rectangular automaton H = (Loc,Var,Lab,Edge,Act, Inv, Init) also consist oftwo parts that are discrete instantaneous steps (also called jump) and continuous timesteps (also called flow):


(l, a, (g, r), jump, l′) ∈ Edgeν ∈ g ν′ ∈ r ∀i /∈ jump.ν′i = νi ν′ ∈ Inv(l′)

(l, ν)a−→ (l′,ν′)

Rulediscrete

for state s = (l, ν) ∈ Σ and for each discrete transition e = (l, a, (g, r), jump, l′) ∈Edge of location l we say that e is enabled if and only if the valuation ν satisfiesthe guard g and synchronization label a occurs, the system may take the transi-tion e and in the meanwhile update the value of variables in jump to r only ifupdated valuation ν′ does not violate the invariant of target location.

2. Time step semantics

(t = 0 ∧ ν = ν′) ∨ (t > 0 ∧ (ν′ − ν)/t ∈ Act(l)) ν′ ∈ Inv(l)

(l,ν)t−→ (l,ν′)

Ruletime

for state s = (l, ν) ∈ Σ the system may stay at location for t time step andupdate valuation to ν′ only if either t is zero and valuation does not change orthe ratio of difference between ν′ and ν to t meets the continuous activities of land ν′ does not violate the invariant of l.

We say that the rectangular automaton H is initialized, if for every edge e =(l, a, (g, r), jump, l′) of H, every variable index i ∈ {1, . . . ,n} with Act(l)i 6= Act(l′)iwe have i ∈ jump.

Example 2.2.1. Figure 2.2 shows a simple rectangular automaton H2 = (Loc2,Var2,Lab2,Edge2,Act2, Inv2, Init2). H2 is quite similar to H1, the main difference betweenH2 and H1 is the labeling function. Act1 in H1 contains linear differential equationy = x, which is not restricted to rectangular regions. However all activity functions inAct2 = {{x = 1,y = 2},{x = −1,y ∈ [−2,−1]}} are obviously restricted to rectangularregions. Another difference is that if e4 is taken, then the value of y in H2 will bechanged to a value v ∈ [0,10] non-deterministically. We notice that e2 and e3 havethe same source location, and they could be enabled at same time points. ThereforeH2 is also non-deterministic.

If we remove edge e3 in H2, we will get an initialized rectangular automaton,because for each ei = (l,a,(g,r),jump,l′) ∈ Edge2 with i ∈ {2,4} we have Act2(l)(x) 6=Act2(l′)(x) and Act2(l)(y) 6= Act2(l′)(y).

Given a rectangular automaton H = (Loc,Var,Lab,Edge,Act, Inv, Init) with stateset Σ, a finite run [AD94] % of H is a sequence of transitions

% = s0t1,e1−−−→ s1

t2,e2−−−→ . . .tn,en−−−→ sn

where n ∈ N, (si) = (li,νi) ∈ Σ with 0 ≤ i ≤ n, (ti)1≤i≤n ∈ R≥0, t0 = 0 andei = (li−1,ai,(gi,ri),jumpi,li) ∈ Edge with 1 ≤ i ≤ n, ai ∈ Lab, gi ∈ Rn and ri ∈ Rn.Each transition si−1

ti,ei−−−→ si with 1 ≤ i ≤ n satisfies the following requirements:


l0x = 1y = 2y ≤ 10

l1x = −1

y ∈ [−2,− 1]

x := 0, y := 0

e2y ≥ 5

x := 0,y := 10

e3

y ≥ 5

x := 0, y := 0

e4y ≤ 5

x := 0,y := [0,10]

Figure 2.2: A simple rectangular automaton H2

• νi−1 + fi−1(t) |= gi,

• νi−1 + fi−1([0,t]) ⊆ Inv(i− 1),

• ∀x /∈ jumpi. νi(x) = νi−1 + fi−1(t),

• ∀x ∈ jumpi.νi(x) = ri(x),

where t = ti − ti−1 and fi ∈ Act(li). We say that n is the length of the run %. Weuse Runf (H,s0) to denote the set of all finite runs from s0 in H. Similarly an infiniterun [AD94] % of H is an infinite sequence of transitions.

% = s0t1,e1−−−→ s1

t2,e2−−−→ s2t3,e3−−−→ . . .

with (si)i∈N ∈ Σ, (ti)i∈N+ ∈ R≥0 and (ei)i∈N+ ∈ Edge, satisfying the above require-ments. We use Run(H,s0) to denote the set of all infinite runs from s0.

Definition 2.2.4 (Direct Successors [BK08]). Let H = (Loc,Var,Lab,Edge,Act, Inv,Init) be a rectangular automaton. For s ∈ Σ and e ∈ Edge, the set of direct e-successors of s is defined as:

Post(s,e) = {s′ ∈ Σ | ∃t ∈ R≥0.st,e−−→ s′},

and the set of direct successors of s is defined as:

Post(s) =⋃e∈Edge Post(s,e).

Each state s′ ∈ Post(s,e) is a direct e-successor of s, and each state s′ ∈ Post(s)is a direct successor of s.

Given a rectangular automaton H = (Loc,Var,Lab,Edge,Act, Inv, Init) with stateset Σ, a finite path π(s0, e1 . . . en) of H is a set of all finite runs starting from s0

by taking e1,e2, . . . ,en, we define π(s0, e1 . . . en) = {% = s0t1,e1−−−→ s1

t2,e2−−−→ . . .tn,en−−−→

sn ∈ Runf (H,s0) | ∀i ∈ N.(1 ≤ i ≤ n ∧ ti ∈ R≥0 ∧ si ∈ Post(si−1,ei))}. Aninfinite path π(s0, e1e2 . . .) of H is a set of all infinite runs that start from s0 and takee1,e2, . . . in sequence, we define π(s0, e1e2 . . .) = {% = s0

t1,e1−−−→ s1t2,e2−−−→ s2

t3,e3−−−→ . . . ∈Run(H,s0) | ∀i ∈ N.(i ≥ 1 ∧ ti ∈ R≥0 ∧ si ∈ Post(si−1,ei))}.

2.3. Reachability Analysis 19

Example 2.2.2. We take a rectangular automaton H2 from Example 2.2.1. Assumes0 = (l0,{x = 0,y = 0}) and s1 = (l1,{x = 0,y = 10}) are states of H2. A possiblefinite run of H2 is %1 = s0

3,e3−−→ s07,e3−−→ s0

12,e2−−−→ s1, accordingly π(s0, e3e3e2) isthe finite path fragment with %1 ∈ π(s0, e3e3e2). A possible infinite run of H2 is%2 = s0

3,e3−−→ s06,e3−−→ s0

9,e3−−→ . . ., accordingly π(s0, e3e3 . . .) is the infinite pathfragment with %2 ∈ π(s0, e3e3 . . .).

Given a rectangular automaton H = (Loc,Var,Lab,Edge,Act, Inv, Init), a states ∈ Σ and a transition e ∈ Edge of H, we define I(s,e) = {t ∈ R≥0 | ∃s′ ∈ ΣH.s

t,e−−→s′} an interval that may be spent on s before e taken and I(s) =

⋃e∈Edge I(s,e) an

union of intervals that may be spent on s before any transition taken.

Example 2.2.3. We take a rectangular automaton H2 from Example 2.2.1. Assumes0 = (l0,{x = 0,y = 0}) and s1 = (l1,{x = 0,y = 10}) are states of H2. We haveI(s0, e3) is [2.5,5] and I(s0, e2) is also [2.5,5], so I(s0) is [2.5,5]. As Inv(l1) is truethe system may stay in l1 infinitely many time, we have I(s1,e4) = [2.5,+∞).

Given a rectangular automaton H, if I(s) 6= ∅ for every state s ∈ ΣH is satisfied,we say that H is a non-blocking rectangular automaton. Intuitively, for each states of a non-blocking rectangular automaton there exists at least one jump transitionthat may be taken at some time point. H1 and H2 above are both non-blocking. Inthe rest of this thesis we only consider non-blocking rectangular automata.

2.3 Reachability Analysis

Generally we need to check whether certain functional events occur during the runningtime, thus we verify if certain properties are satisfied by the hybrid automata. Usuallywe consider the following two types of properties:

1. Safety properties: state that “nothing bad will happen”. We verify if all states,which are defined as “bad states”, are not reachable.

2. Liveness properties: state that “something good will happen”. We verify if somestates, which are defined as “good states”, are reached.

In order to verify safety properties, we have to explore all the reachable statesof the hybrid automata and intersect the reachable states with “bad states”. If theintersection is an empty set we say that the safety properties is satisfied, otherwisenot satisfied. This approach is called reachability analysis. Given a hybrid automatonH = (Loc,Var,Lab,Edge,Act, Inv, Init) and s0, s1 are two states of H. We call s1 isreachable from s0 if there is a path from s0 to s1, written as s0 7→∗ s1 [ACH+95].The reachability problem of hybrid automata is to ask, whether s0 7→∗ s1 holds bygiven a hybrid automaton H with its states s0 and s1.

The general reachability problem for hybrid automata is undecidable [ACHH92].Fortunately the time-bounded reachability problem for rectangular automata is de-cidable proved in [BDG+11]. Thus it is meaningful to apply reachability analysis onrectangular automata.


2.3.1 Forward AnalysisInformally speaking forward analysis [ACH+95] is to compute the reachable state setReach+(Init) starting from initial state set Init as Reach+(Init) = {s ∈ Σ | ∃s0 ∈Init. s0 7→∗ s}. As each hybrid automaton has two types of steps which are jump andflow, we discuss one-step reachability separately.

We define the forward time closure 〈P 〉↗l over a set of valuations P ⊆ V at alocation l ∈ Loc as

ν ∈ 〈P 〉↗l ⇔ ∃νpre ∈ V, t ∈ R≥0. νpre ∈ P ∧ ν = Actl[νpre](t) ∧ Invl[ν],

a set of states is called region Rl = {(l,ν) | ν ∈ P}, and we define the region offorward time closure 〈Rl〉↗l as

〈Rl〉↗l = (l, 〈P 〉↗l ),

and we extend to regions of all locations R =⋃l∈LocRl:

〈R〉↗ =⋃l∈Loc

〈Rl〉↗l .

We define the postcondition poste[P ] over a set of valuations P ⊆ V with respectto an edge e = (l, a, µ, l′) as

ν ∈ poste[P ] ⇔ ∃νpre ∈ V. νpre ∈ P ∧ (νpre, ν) ∈ µ ∧ Invl′ [ν],

the region poste[Rl] asposte[Rl] = (l′, poste[P ]),

where Rl = {(l, ν)|ν ∈ P}, and the the set of regions post[R] as

post[R] =⋃

e∈Edge

poste[Rl],

where R =⋃l∈LocRl.

We use reachable region (I 7→∗) ⊆ Σ to denote the set of all reachable states fromstates in the initial region I ⊆ Σ:

s ∈ (I 7→∗)⇔ ∃s0 ∈ I. s0 7→∗ s.

Example 2.3.1. Consider the hybrid automaton H2 in Figure 2.2. We compute thefollowing set by using forward analysis:

• the set 〈x = 0 ∧ y = 0〉↗l0 reachable from x = 0 ∧ y = 0 in location l0:

〈x = 0 ∧ y = 0〉↗l0 =∃xpre∃ypre∃t ∈ R≥0.xpre = 0 ∧ ypre = 0

∧ x = xpre + t ∧ y = ypre + 2t ∧ y ≤ 10

=∃t ∈ R≥0.x = t ∧ y = 2t ∧ y ≤ 10

=x ≥ 0 ∧ 0 ≤ y ≤ 10

• the region 〈Rl0〉↗l0

= (l0, x ≥ 0 ∧ 0 ≤ y ≤ 10)

2.3. Reachability Analysis 21

• the set poste2 [x ≥ 0∧ 0 ≤ y ≤ 10] reachable from x ≥ 0∧ 0 ≤ y ≤ 10 in locationl0 by taking transition e2:

poste2 [x ≥ 0 ∧ 0 ≤ y ≤ 10] =∃xpre∃ypre.xpre ≥ 0 ∧ 0 ≤ ypre ≤ 10 ∧ ypre ≥ 5

∧ x = 0 ∧ y = 10 ∧ y ≥ 0

=x = 0 ∧ y = 10

• the region poste2 [Rl0 ] = (l1, x = 0 ∧ y = 10)

The main idea of forward analysis is to calculate (I 7→∗) ⊆ Σ of states which arereachable from the initial states I. The general forward reachability analysis algorithmshows in Algorithm 1.

Algorithm 1: General forward reachability analysis algorithm [SFÁ19]Input: Set of initial states IOutput: Set of reachable states R

1 R := I2 Rnew := I3 while Rnew 6= ∅ do4 Rnew := Reach(Rnew) \ R5 R := R

⋃Rnew

6 end

2.3.2 Backward AnalysisInformally speaking backward analysis [ACH+95] could be seen as the reverse pro-cess of forward analysis which is to compute the reachable state set Reach−(Goal)starting from a set of target states Goal, written as Reach−(Goal) = {s ∈ Σ | ∃s′ ∈Goal. s 7→∗ s′}. Similarly, we discuss one-step reachability under time and discretesteps separately.

We define the backward time closure 〈P 〉↙l over a set of valuations P ⊆ V at alocation l ∈ Loc as

ν ∈ 〈P 〉↙l ⇔ ∃νpost ∈ V, t ∈ R≥0. νpost = Actl[ν](t) ∧ νpost ∈ P ∧ Invl[ν],

the region 〈Rl〉↙l where Rl = {(l, ν) | ν ∈ P} as

〈Rl〉↙l = (l, 〈P 〉↙l ),

and the the set of region 〈R〉↙ as

〈R〉↙ =⋃l∈Loc

〈Rl〉↙l ,

where R =⋃l∈LocRl.

We define the precondition pree[P ] over a set of valuations P ⊆ V with respect toan edge e = (l′, a, µ, l) as

ν ∈ pree[P ] ⇔ ∃νpost ∈ V. νpost ∈ P ∧ (ν, νpost) ∈ µ ∧ Invl′ [ν],


the region pree[Rl] aspree[Rl′ ] = (l′, pree[P ]),

where Rl′ = {(l′, ν)|ν ∈ P}, and the the set of region pre[R] as

pre[R] =⋃

e=(l′,a,µ,l)∈Edge

pree[Rl′ ],

where R =⋃l′∈LocRl′ .

We use initial region (7→∗ R) ⊆ Σ to denote the set of all states from which statesin the target region R ⊆ Σ are reachable:

s ∈ (7→∗ R)⇔ ∃s′ ∈ R. s 7→∗ s′.

Chapter 3

Stochastic RectangularAutomata

Rectangular automata may be non-deterministic, i.e. if more than one transitions,which have the same source location, are enabled at the same time, then systemwill choose one of the enabled transitions to take non-deterministically. Probabilisticrectangular automata generalize the subclass of rectangular hybrid automata thatrepresent the non-deterministic behavior of the system by probability. Discrete-timeprobabilistic rectangular automata extend rectangular automata with discrete prob-ability distributions over transitions.

3.1 Discrete-Time Probabilistic Rectangular Automata

Definition 3.1.1 (Syntax of Discrete-Time Probabilistic Rectangular Automata [Spr11]).A discrete-time probabilistic rectangular automaton (DTPRA) is a tuple H is a tupleH = (Loc,Var,Lab,Edge,Act, Inv, Init, P ) where:

• (Loc,Var,Lab,Edge,Act, Inv, Init) is a rectangular automaton

• P is a transition probability function P : Edge→ [0,1] such that:

∀l ∈ Loc.

∑e∈Edge

P (l,e) = 1

Definition 3.1.2 (Semantics of Probabilistic Rectangular Automata [Spr11]). Thesemantics of a probabilistic rectangular automaton H = (Loc,Var,Lab,Edge,Act, Inv,Init, P ) also consist of jumps and flows:


e = (l, a, pre, post, jump, l′) ∈ Edge P (l,e) > 0ν ∈ pre ν′ ∈ post ∀i /∈ jump.v′i = vi ν′ ∈ Inv(l′)

(l.ν)a−→ (l′,ν′)

Rulediscrete

24 Chapter 3. Stochastic Rectangular Automata

except conditions of discrete step semantics of rectangular automata, transitione may be taken under the condition that probability of taking transition e atlocation l is greater than zero additionally.

2. Time step semantics are same as that in rectangular automata

Example 3.1.1. Figure 3.1 shows a simple discrete-time probabilistic rectangularautomaton H3 = (Loc3,Var3,Lab3,Edge3,Act3, Inv3, Init3). Compared to the rect-angular automaton H2 in Figure 2.2, H3 resolve the non-determination in H2 byprobability. If y ≥ 5 is satisfied in location l0, the system will reach location l1 withthe probability 0.9 and reach location l0 with the probability 0.1 respectively.

l0x := 1y := 2y ≤ 10

l1x := −1

y :∈ [−2,− 1]

y ≥ 5x := 0, y := 0

e2x := 0,y := 10

0.9e3

x := 0, y := 0

0.1

e4y ≤ 5

x := 0,y := [0,10]

Figure 3.1: A simple discrete-time probabilistic rectangular automaton H3

3.2 Stochastic Rectangular AutomataProbabilistic rectangular automata using rules based on stochastic process are calledstochastic rectangular automata. Intuitively the probability distribution of stochasticrectangular automata has two part, one is over delays, the other is over transitions.In the following we extend stochastic timed automata introduced in [BBB+14] tostochastic rectangular automata. We introduce probability distribution over delaysfirstly.

Definition 3.2.1 (Probability Distribution over Delays of Rectangular Automata).Let H = (Loc,Var,Lab,Edge,Act, Inv, Init) with state set Σ be a non-blocking rect-angular automaton. The probability distribution on state s ∈ Σ over delays is aprobability measure µs over R≥0 which satisfies the following requirements:

(H.1) µs(I(s)) = µs(R≥0) = 1, where I(s) is not empty as H is non-blocking. Theprobability distribution is defined over delays in interval I(s), i.e. the probabilityof all value out of interval I(s) is zero, so we define that µs(R≥0\I(s)) = 0;

(H.2) Let λ be a standard Lebesgue measure on R≥0. We consider the following twosituations:

• If λ(I(s)) = 0, then µs is equivalent to the uniform distribution overpoints of I(s). In this case I(s) is a set of single points, because a pointhas measure zero.

3.2. Stochastic Rectangular Automata 25

• Otherwise, µs is equivalent to λ on I(s). As I(s) is one-dimensional set,λ(I(s)) measures the length of interval I(s).

In both cases we say that two measures µ and µ′ are equivalent, if for everymeasurable set I, µ(I) = 0 ⇐⇒ µ′(I) = 0 holds. Intuitively, we cannot setthe probability of enabling some transitions outgoing from s to zero.

Notice that the probability measure µs is defined on Borel σ − algebra.

Next we introduce the probability distribution over transitions.

Definition 3.2.2 (Probability Distribution over Transitions of Rectangular Automata).Let H = (Loc,Var,Lab,Edge,Act, Inv, Init) with state set Σ be a non-blocking rectan-gular automaton. Let ps be a probability distribution of state s over transitions. Byassigning a weight w(e) > 0 to each transition e ∈ Edge the probability of taking e isdefined as:

e is enabled in s ⇐⇒ ps(e) = w(e)∑e′ is enabled w(e′) > 0.

We extend rectangular automata to stochastic rectangular automata by addingprobability distribution over delays and transitions.

Definition 3.2.3 (Stochastic Rectangular Automata). A stochastic rectangular au-tomaton (SRA) is a tuple H = (Loc,Var,Lab,Edge,Act, Inv, Init,µ, w, ιinit) with stateset Σ where:

• (Loc,Var,Lab,Edge,Act, Inv, Init) is a rectangular automaton,

• µ is a set of probability distribution over delays: µ =⋃s∈Σ µs where µs is defined

as in Definition 3.2.1,

• w is a set of weight functions: w =⋃e∈Edge w(e), the probability ps(e) is defined

as in Definition 3.2.2,

• ιinit is a initial distribution over states: ιinit(s) = 0 for all states s /∈ Init and∑s∈Σ ιinit(s) = 1.

We will discuss the reachability in the rest of this thesis, if the set of target statesis not reachable from initial states after infinitely many steps, i.e. there is no suchfinite run that ever reaches one of target states, we say that target states are notreachable. In other words once there exists a finite run that reaches at least one oftarget states, we say that the set of target states is reachable. So what we reallyinterested in is the probability distribution over finite paths that may reach the setof target states.

Definition 3.2.4 (Probability Distribution over Finite Paths of SRA). Let H =(Loc,Var,Lab,Edge,Act, Inv,µ, w, ιinit) with state set Σ be a stochastic rectangular au-tomaton and let π(s0, e1 . . . en) be a finite path of H. The probability of π(s0, e1 . . . en)starting from s0 and taking e1,e2, . . . ,en in sequence is defined as:

PH(π(s, e1e2 . . . en)) =

∫t∈I(s,e1)

ps+t(e1) · PH(π(s′,e2 . . . en))dµs(t)

where s+t represents the state that stays at the location of s and changes the valuationaccording to the activities of the location. We use s t−→ s + t

e−→ s′ to denote the


transition over states which takes flow st−→ s + t and jump s + t

e−→ s′ in sequence.Initially, we define PH(π(s0)) = 1.

We define the probability that the system starts from s0 and takes e1,e2, . . . ,en insequence as:

PH((s, e1e2 . . . en)) = ι(s) · PH(π(s, e1e2 . . . en)).

l0x = 1y = 2y ≤ 10

l1x = −1

y ∈ [−2,− 1]

e2 : 1y ≥ 5

x := 0,y := 10

e3 : 2

y ≥ 5

x := 0, y := 0

e4 : 1y ≤ 5

x := 0,y := [0,10]

Figure 3.2: A simple stochastic rectangular automaton H4

Example 3.2.1. Figure 3.2 shows a simple stochastic rectangular automaton H4 =(Loc4, V ar4Lab4, Edge4, Act4, Inv4, Init4,µ, w, ιinit). Assume that s0 = (l0,{x =0,y = 0}) is a state of H4, µs0 is uniform distribution over I(s0) and ιinit(s0) = 1.The weight of each transition is marked with numbers in blue. The probability ofstarting from s0 and taking e3,e3 in sequence is:

PH4((s0,e3e3)) =ι(s0) · PH4

(π(s0,e3e3))

=1 ·∫t∈I(s0,e3)

ps0+t(e3) · PH4(π(s0,e3)dµs0(t)

=

∫ 5

2.5

w(e3)

w(e2) + w(e3)· PH4(π(s0,e3))d

1

|I(s0)|· t

=

∫ 5

2.5

2

3· PH4

(π(s0,e3))d1

2.5· t

=2

3

∫ 5

2.5

(∫u∈I(s0,e3)

ps0+u(e3) · PH4(π(s0))dµs0(u)

)d

1

2.5· t

=2

3

∫ 5

2.5

(w(e3)

w(e2) + w(e3)· PH4

(π(s0))d1

|I(s0)|· u)d

1

2.5· t

=2

3

∫ 5

2.5

(∫ 5

2.5

2

3· PH4(π(s0))d

1

2.5· u)d

1

2.5· t

=2

3· 2

3

∫ 5

2.5

(∫ 5

2.5

1d1

2.5· u)d

1

2.5· t

=2

3· 2

3

∫ 5

2.5

1d1

2.5· t

3.2. Stochastic Rectangular Automata 27

=2

3· 2

3

=4

9

The probability of starting from s0 and taking transition e3 n-times is PH4((s0,e

n3 )) =

1 ·(

23

)n with n ∈ N. If n is infinitely close to positive infinity, then the probabilityPA(π((s0,e

n3 )) is infinitely close to zero, which means that the probability of continu-

ously taking transition e3 infinitely many times is zero.

Chapter 4

Reachability Analysis

4.1 Probability over Finite PathGiven a stochastic rectangular automatonH = (Loc,Var,Lab,Edge,Act, Inv, Init,µ, w,ιinit) with state set Σ and a finite path π(s0, e1 . . . en). We calculate the probabilityPH(π(s0,e1e2 . . . en)) as following:

PH(π(s,e1e2 . . . en)) =

∫t∈I(s,e1)


where s t−→ s+ te−→ s′ with s,s+ t,s′ ∈ Σ, t ≥ 0 and e ∈ Edge, and initially we define

PH(π(s)) = 1 for every state s ∈ Σ. The most important part is the calculation ofinterval I(s,e) that may be spent on state s before transition e taken.

4.1.1 Interval CalculationIntuitively we could get the intersection of current valuation, activities, invariants,guards and resets, then eliminating variables except the time variable. Intersectionof current valuation, activities and invariants is the set of all valuations that may bereachable in current location of current state, which is similar to forward time closure.

We define the interval [(s,e)] over time with a state set S = (l,φinit) before takingtransition e = (l,a,(guard,reset),jump,l′) in location l as:

t ∈ [(s,e)] ⇔ ∃νpre, ν, νpost ∈ V. 0 ≤ t ∧ νpre |= φinit ∧ ν = Actl[νpre](t) ∧ Invl[ν]

∧ guard[ν] ∧ νpost = reset[ν] ∧ Invl′ [νpost]

Stochastic timed automata is a subclass of stochastic rectangular automata, whosevariables are a finite set of clocks. Clocks are a set of variables, that change with rateone and can only be inspected and reset to zero. Thus a clock indicates the amount oftime after reseting. As our point of Section 4.1 is to describe the calculation processclearly, our examples in Section 4.1 deal with stochastic timed automata that arerelatively simpler than stochastic rectangular automata in terms of calculation.

Example 4.1.1. Figure 4.1 shows a simple stochastic timed automaton A1 with asingle clock {x} and two locations {l0,l1}. The weight of each transition is markedwith numbers in blue. We consider transition e0 and e1: by taking e0 clock x will not

30 Chapter 4. Reachability Analysis

be reseted, however by taking e1 clock x will be reseted to zero. We compute I(s0,e0)and I(s0,e1) where s0 is a state to find how reseting influences the interval calculationresult:

• the interval [(s0,e0)] from state s0 = (l0,{x = 0}) before taking e0 which doesnot reset x:

[(s0,e0)] =∃xpre, x, xpost. 0 ≤ t ∧ xpre = 0 ∧ x = xpre + t ∧ x ≤ 10

∧ 5 ≤ x ∧ xpost = x ∧ xpost ≤ 8

=∃x, xpost. 0 ≤ t ∧ x = 0 + t ∧ x ≤ 10

∧ 5 ≤ x ∧ xpost = x ∧ xpost ≤ 8

=∃xpost. 0 ≤ t ∧ t ≤ 10 ∧ 5 ≤ t ∧ xpost = t ∧ xpost ≤ 8

=0 ≤ t ∧ 5 ≤ t ∧ t ≤ 8 ∧ t ≤ 10

=5 ≤ t ≤ 8,

so I(s0,e0) = [5,8];

• the interval [(s0,e1)] from state s0 = (l0,{x = 0}) before taking e1 which resetsx:

[(s0,e0)] =∃xpre, x, xpost. 0 ≤ t ∧ xpre = 0 ∧ x = xpre + t ∧ x ≤ 10

∧ 5 ≤ x ∧ xpost = 0 ∧ xpost ≤ 8

=∃x, xpost. 0 ≤ t ∧ x = 0 + t ∧ x ≤ 10

∧ 5 ≤ x ∧ xpost = 0 ∧ xpost ≤ 8

=∃xpost. 0 ≤ t ∧ t ≤ 10 ∧ 5 ≤ t ∧ xpost = 0 ∧ xpost ≤ 8

=0 ≤ t ∧ 5 ≤ t ∧ t ≤ 10 ∧ 0 ≤ 8

=5 ≤ t ≤ 10,

so I(s0,e1) = [5,10];

We find that if clock x is reseted by taking transition e1 to reach location l1 from loca-tion l0, the restriction Invl1 on x does not influence the result of interval calculation;otherwise the result depends on Invl1 on x.

l0x ≤ 10

l1x ≤ 8

x := 0

e0 : 1 x ≥ 5

e1 : 2

x ≥ 5 x := 0

e2 : 1x ≥ 6 x := 0

Figure 4.1: A simple stochastic timed automaton A1

4.1. Probability over Finite Path 31

4.1.2 Transition Probability Calculation

Once I(s,e) is determined, the probability distribution over transitions can also becalculates. For each transition e′ if the intersection of I(s,e) and I(s,e′) is not empty,we say that transition e′ is enabled at some time point in I(s,e). We use I∩(s,e) ={I(s,e) ∩ I(s,e′) | ∀e′ ∈ Edge. I(s,e) ∩ I(s,e′) 6= ∅} to denote a set of intersections ofI(s,e) and I(s,e′) with e′ enabled at some time point in I(s,e). However we noticethat for every possible enabled transitions e′, if I(s,e) ∩ I(s,e′) 6= I(s,e), we need todivided I(s,e) into:

• I(s,e) ∩ I(s,e′) in which e′ is enabled,

• I(s,e)\(I(s,e) ∩ I(s,e′)) in which e′ is not enabled.

Therefore, it is essential to construct a set of intervals for transitions, that each transi-tion is either enabled or not enabled in each interval of the set, rather than enabled inpart of the interval. We apply Algorithm 2 to separate the interval I(s,e) into disjointintervals, such that for each transition and each disjoint interval, transition is eitherenabled during the interval or not enabled at any time point of the interval. We useIdisj(s,e) = {I | I ⊆ I(s,e)} with ∪I∈IdisjI = I(s,e) and ∀I1,I2 ∈ Idisj . I1 ∩ I2 = ∅to denote resulted disjoint intervals, E+(s,I) = {e′ | I ⊆ I(s,e′)} to denote the setof enabled transitions in interval I, and I+(s,e) = {(I,E+(s,I)) | I ∈ Idisj(s,e)} todenote the pair of interval and set of enabled transition in it.

Algorithm 2: Disjoint Intervals CalculationInput: Set of intervals I∩(s,e), interval I(s,e)Output: Set of new intervals Idisj

1 begin2 Idisj := ∅;3 Intervals := I∩(s,e) ∪ I(s,e);4 while Intervals 6= ∅ do5 I := Intervals.front();6 Intervals.pop();7 i := Intervals.begin();8 while i 6= Intervals.end() do9 tempI := Intervals.at(i);

10 interI := I ∩ tempI;11 if interI 6= ∅ then12 if I\interI 6= ∅ then13 if Intervals.find(I\interI) = NULL then14 Intervals.push(I\interI);

15 if tempI\interI 6= ∅ then16 if Intervals.find(tempI\interI) = NULL then17 Intervals.push(tempI\interI);

18 I := interI ;19 Intervals.erase(i);

20 i++;

21 Idisj .push(I)


Example 4.1.2. Consider the stochastic timed automaton A1 in Figure 4.1. InExample 4.1.1 we calculate I(s0,e0) and (s0,e1) with s0 = (l0,{x = 0}), and theresults are [5,8] and [5,10] respectively. We calculate the probability ps0+t(e1) witht ∈ I(s0,e1) by applying Algorithm 2 we have:

• I∩(s0,e1) = {[5,10],[5,8]},

• Idisj(s0,e1) = {[5,8],(8,10]},

• E+(s0,[5,8]) = {e0,e1} and E+(s0,(8,10]) = {e1},

• I+(s,e) = {([5,8],{e0,e1}),((8,10],{e1})},

• t ∈ [5,8]: ps0+t(e1) = w(e1)∑e∈E+(s0,[5,8]) w(e) = w(e1)

w(e0)+w(e1) = 23 ,

• t ∈ (8,10]: ps0+t(e1) = w(e1)∑e∈E+(s0,(8,10]) w(e) = w(e1)

w(e1) = 1.

4.1.3 Path Probability CalculationWe refine the calculation of probability PH(π(s,e1e2 . . . en)) as following:

PH(π(s,e1e2 . . . en))

=

∫t∈I(s,e1)


=∑

(I′,E+(s,I′))∈I+(s,e1)

(∫t∈I′


)

=∑

(I′,E+(s,I′))∈I+(s,e1)

(∫t∈I′

w(e1)∑e′1∈E+(s,I′) w(e′1)

· PH(π(s′,e2 . . . en))dµs(t)

)

where s t−→ s+ te−→ s′ with s,s+ t,s′ ∈ Σ, t ≥ 0 and e ∈ Edge, and initially we define

PH(π(s)) = 1 for every state s.

Example 4.1.3. Consider the stochastic timed automaton A1 in Figure 4.1. InExample 4.1.2 we have I+(s,e) = {([5,8],{e0,e1}),((8,10],{e1})}. Intuitively there aretwo disjoint interval sets, which are I0 = [5,8] and I1 = (8,10]. Assume that s0 =(l0,{x = 0}) is a state of A1, µs0 is uniform distribution over I(s0) and ιinit(s0) = 1.The weight of each transition is marked with numbers in blue in Figure 4.1. Theprobability of starting from s0 and taking e1 is:

PA1((s0,e1)) =ι(s0) · PA1(π(s0,e1))

=1 ·∫t∈I(s0,e1)

ps0+t(e1) · PA1(π(s0)dµs0(t)

=

∫t∈I0


+

∫t∈I1


=

∫ 8

5

w(e1)

w(e0) + w(e1)· PA1

(π(s0))d1

|I(s0)|· t

4.2. Forward Analysis for Probabilistic Rectangular Automata 33

+

∫ 10

8

w(e1)

w(e1)· PA1

(π(s0))d1

|I(s0)|· t

=

∫ 8

5

2

3· PA1(π(s0))d

1

5· t+

∫ 10

8

1 · PA1(π(s0))d1

5· t

=

∫ 8

5

2

3· 1d1

5· t+

∫ 10

8

1 · 1d1

5· t

=2

3· 3

5+

2

5

=12

15

4.2 Forward Analysis for Probabilistic RectangularAutomata

Intuitively our analysis is based on the idea of computation tree. The nodes of thetree denote every reachable state set. For each state set s, if s′ is reachable from sby taking transition e, we say that s′ is a child of s. A path from node s to s′ of thetree denote a transition s

t,e−−→ s′ with state sets s,s′, time t ≥ 0, and transition e.Figure 4.2 illustrates how the computation tree constructed (bad states are markedin red). The main difficulties during our implementation is to solve the followingsituations in Figure 4.2 properly:

s0

s1

s3

...

t3,e3

s4

t4,τ

t1,e1

s2

s′′5s′5

s8

...

t8,e8

t5,e5

s6

t6,e6

s7

s9

s10

t10,e10

...s11

t11,e11

t9,e9

t7,e7

t2,e2

s5

Figure 4.2: A forward analysis computation tree

1. Time-step successor contains bad states: after time t4 and taking τ -transitionfrom s1 a bad state s4 is reached; As τ -transition does not change the location,s4 stays in the location of s1; we need not to calculate the successors of s4.

2. Jump-step successors contain bad states:

• transition s2t6,e6−−−→ s6 is simple to deal with. As s6 is a bad state, we

simply ignore all successors of s6.


• for transition s2t5,e5−−−→ s5 we notice that only part of s5 is bad. Before

doing further calculation we separate s5 into s′5 and s′′5 with s′5 ∪ s′′5 = s5

and s′5∩s′′5 = ∅, where s′′5 is the intersection of s5 and bad states. Thereforewe simplify the calculation by ignoring all successors of s′′5 .

3. Successors have been visited before:

• s11 is one of the successors of s9, besides s11 equals to s7 and s7 is one ofthe predecessors of s9; In other words, if there exists a loop along the path,we only need to calculate every states of the loop once.

• s10 is one of the successors of s9 and s10 equals to s8, however there is nosuch path that s8 −→∗ s9; To solve this problem we construct an unboundedqueue to store visited states, therefore if s8 is visited we need not to docalculation on s10 which is the successor of s9.

4.2.1 Implementation

The basic idea of step successor calculation is depicted in Algorithm 3. Time-stepsuccessor and jump-step successor are calculated in sequence. Line 4 to 9 and Line 12to 15 describe how we deal with the situation if the time-step successor st contains badstates and the jump-step successor s′ contains bad states respectively. We separatethe successors into two parts, one called sbad is the intersection of st and bad states.We do not need to do further calculation on sbad.

Algorithm 3: Forward ReachabilityInput: State: s, bad states: BadOutput: Set of pairs Results = {(safe,(e,s′))}

1 begin2 Results := ∅;3 calculate time-step successor st according to s;4 if st ∩Bad 6= ∅ then5 sbad := st ∩ Bad;6 e := τ ;7 s′ := sbad;8 Results.push((false,(e,s′)));9 st := st\sbad;

10 calculate jump-step successors JumpSucc according to st;11 for (e,s′) ∈ JumpSucc do12 if s′ ∩ Bad 6= ∅ then13 sbad := s′ ∩ Bad;14 Results.push((false,(e,sbad)));15 s′ := s′\sbad;16 Results.push((true,(e,s′)));

The significant calculation is how to get S\Sbad where S = (l,φ), Sbad = (l,φbad) ∈Σ and Sbad is bad state set. Assume that φbad = a0∧a1∧ . . .∧an with n ∈ N, in orderto calculate S\Sbad we need to calculate φ\φbad. The problem is that φ∧qφbad may

4.3. Backward Analysis and Probability Calculation for Probabilistic RectangularAutomata 35

contain disjunctions, which we need to avoid. The idea of eliminating disjunctions isto separate φ\φbad into subsets φ0 = {φ∧qa0}, φ1 = {φ ∧ a0∧qa1}, . . . , φn = {φ ∧. . .∧ an−1∧qan}. Thus we get a set of states S0 = (l,φ0), S1 = (l,φ1),. . . ,Sn = (l,φn).The successor calculation is then applied on S0, . . . , Sn respectively.

The forward analysis is depicted in Algorithm 4. The forward analysis starts frominitial states, and we use breadth-first search to implement the tree construction.For each unprocessed state we use forward reachability calculation described aboveto get the corresponding transitions and successors. Then we add the successors ofprocessed state as a child of current node. If the successor is processed before we avoidto process second time which is indicated in Line 18 to 19. At the end we collect allreachable bad states.

Algorithm 4: Forward AnalysisInput: Hybrid Automaton HAOutput: Set of unsafe states: UnsafeStates, reach tree: ReachTree

1 begin2 Init is the set of initial states of HA;3 Bad is the set of bad states of HA;4 Reached = ToProcess := ∅;5 ReachTree := ∅;6 UnsafeStates := ∅;7 for s0 ∈ Init do8 ToProcess.push(s0);9 add s0 as a root of the tree ReachTree;

10 while !ToProcess.empty() do11 s := ToProcess.front();12 ToProcess.pop();13 Reached.push(s);14 Results := ForwardReachability(s,Bad);15 for (safe, (e,s′)) ∈ Results do16 add s′ as a child of s in the tree ReachTree;17 if safe then18 if s′ /∈ Reached then19 ToProcess.push(s′);

20 else21 UnsafeStates.push(s′) ;

4.3 Backward Analysis and Probability Calculationfor Probabilistic Rectangular Automata

After collecting unsafe states, we could do backward analysis as well as probabilitycalculation. Figure 4.3 illustrates how backward analysis works based on computationtree. Figure 4.3(a) depicts a computation tree constructed by forward analysis, thereare two unsafe paths π1 = s0

t1,e1−−−→ s1t4,e4−−−→ s4

t7,e7−−−→ s7 and π2 = s0t3,e3−−−→ s3

t6,e6−−−→ s6,


among which π1 is the longest. Figure 4.3(b) depicts that we get s′4 by one steppredecessor calculation on longest path π1. If there are more than one paths whichare longest, we calculate one step predecessors of the longest paths at the same level.Figure 4.3(c) depicts that both π′1 = s0

t1,e1−−−→ s1t4,e4−−−→ s′4 and π2 are longest paths, we

process them in sequence in this step. Figure 4.3(d) depicts that s′1 of π′′1 = s0t1,e1−−−→ s′1

and s′3 of π′2 = s0t3,e3−−−→ s′3 have the same parent, the predecessor s′0 is dependent not

only on s′1 but also on s′3.

s0

s1

s4

s7

t7,e7

t4,e4

s5

t5,e5

t1,e1

s2

t2,e2

s3

s6

t6,e6

t3,e3

π1

π2

(a)

s0

s1

s′4

s7

t7,e7

t4,e4

s5

t5,e5

t1,e1

s2

t2,e2

s3

s6

t6,e6

t3,e3

π1

π2

(b)

s0

s′1

s′4

t4,e4

s5

t5,e5

t1,e1

s2

t2,e2

s′3

s6

t6,e6

t3,e3

π′1

π2

(c)

s′0

s′1

t1,e1

s2

t2,e2

s′3

t3,e3

π′′1 π′

2

(d)

Figure 4.3: A simple backward analysis based on computation tree

4.3.1 Implementation

Algorithm 5 illustrates the backward analysis along with probability calculation. Wefirst find a longest path and bad state sbad which is indicated in Line 6. Line 17 toLine 20 depict that the probability of the state is dependent on all its children.

4.4 Direct Backward Analysis for Probabilistic Rect-angular Automata

In Section 4.2 and Section 4.3 we propose a reachability analysis approach by firstgoing through all reachable states by forward analysis and then calculating the prob-ability from reached bad states by backward analysis. This approach gives a complete

4.4. Direct Backward Analysis for Probabilistic Rectangular Automata 37

Algorithm 5: Backward Analysis and Probability CalculationInput: Hybrid Automaton: HA, set of unsafe states: UnsafeStates, tree

constructed after forward analysis: ReachTreeOutput: The probability to reach bad states: probunsafe

1 begin2 ιinit is a initial distribution of HA;3 probunsafe := 0;4 probs := ones();5 while !UnsafeStates.empty() do6 sbad is the state whose path from initial state is the longest;7 treeNode is corresponding node of sbad;8 while treeNode→ parent() ! = NULL do9 ebad is the transition to reach treeNode from the parent node

treeNode→ parent();10 calculate jump-step predecessor st according to sbad and ebad;11 calculate time-step predecessor sprebad according to st;12 spre is the state of the parent node treeNode→ parent();13 s := sprebad ∩ spre;14 if ebad = τ then15 probs[s] := probs[sbad];16 else17 if probs[s] = 1 then18 probs[s] :=

∫t∈I(s,ebad)

ps+t(ebad) · probs[sbad]dµs(t);19 else20 probs[s] :=

probs[s] +∫t∈I(s,ebad)

ps+t(ebad) · probs[sbad]dµs(t);

21 sbad := s;22 treeNode := treeNode→ parent();

23 probunsafe := probunsafe + probs[s] · ιinit(s)

view of reachable states. However, sometimes we do not need to collect all informa-tions of reachable states. Thus we consider to do backward analysis directly. Theidea of backward analysis is also tree based, but bottom to top. The constructionof the tree is similar to that in Section 4.2, we do not repeat it. We introduce theimplementation directly.

Algorithm 6 shows the basic idea of backward reachability calculation, comparingto forward reachability calculation in Algorithm 4 we start from bad state to calculateits predecessors and once initial states are reached we do not calculate the predecessorsany more.

Algorithm 7 illustrate the tree construction and probability calculation by applyingbackward analysis directly.


Algorithm 6: Backward ReachabilityInput: Bad state: sbad, initial states InitialOutput: Set of pairs Results = {(initial,(s′,e))}

1 begin2 Results := ∅;3 calculate time-step predecessor st according to sbad;4 if st ∩ Initial 6= ∅ then5 sinit := st ∩ Intial;6 e := τ ;7 Results.push((true,(sinit,e));8 st := st\sinit;9 calculate jump-step successors JumpSucc according to st;

10 for (s′,e) ∈ JumpSucc do11 if s′ ∩ Initial 6= ∅ then12 sinit := s′ ∩ Initial;13 Results.push((true,(sinit,e));14 s′ := s′\sinit;15 Results.push((false,(s′,e)));

4.4. Direct Backward Analysis for Probabilistic Rectangular Automata 39

Algorithm 7: Backward AnalysisInput: Hybrid Automaton: HAOutput: Set of unsafe states: UnsafeStates, reach tree: ReachTree

1 begin2 Init is the set of initial states of HA;3 Bad is the set of bad states of HA;4 Reached = ToProcess := ∅;5 ReachTree := ∅;6 probunsafe := 0;7 probs := ones();8 for sbad ∈ Bad do9 ToProcess.push(sbad);

10 add sbad as node the tree ReachTree;

11 while !ToProcess.empty() do12 sbad := ToProcess.front();13 ToProcess.pop();14 Reached.push(sbad);15 Results := BackReachability(sbad,Init);16 for (initial, (s′,e)) ∈ Results do17 add s′ as a parent of sbad in the tree ReachTree;18 if e = τ then19 probs[s

′] := probs[sbad];20 else21 if probs[s′] = 1 then22 probs[s

′] :=∫t∈I(s′,e) ps+t(e) · probs[sbad]dµs′(t);

23 else24 probs[s

′] := probs[s′] +

∫t∈I(s′,e) ps+t(e) · probs[sbad]dµs′(t);

25 if !initial then26 if s′ /∈ Reached then27 ToProcess.push(s′);

28 else29 probunsafe := probunsafe + probs[s

′] · ιinit(s)

Chapter 5

Results

The basic idea of reachability analysis on stochastic rectangular automata is presentedin previous chapter. The library our implementation based is called HyPro [SAMK17].HyPro provides the implementation of state set representations for hybrid automata.

5.1 Simple Test Example

In oder to give a brief idea of how the program runs, we introduce a simple testexample firstly. Figure 5.1 shows a stochastic rectangular automata with two locationsl0, l1 and one variables x. Location l0 has two out-going transitions e0, e1 to reachl1, l0 respectively, and location l1 has one out-going transition e2 to reach l0.

l0x = [1,2]

l1x = [3,5]

e0 : 1x ∈ [4,10]

x := [−1,1]

e1 : 2

x ∈ [0,5]

x := [−1,1]

e2 : 1x ∈ [0,10]

x := [−1,1]

Figure 5.1: A simple stochastic rectangular automaton H1

5.1.1 Reachable Bad State Analysis

Assume that the initial state is s0 = (l0,{x ∈ [−1,1]}) and the bad state is sbad =(l1,{x ∈ [6,8]}). We apply the forward analysis introduced in Section 4.2 to constructa reach tree. Figure 5.2 shows the construction of a reach tree by applying forwardanalysis. To minimize the figure we eliminate the constraints which do not effect thevariable value. For example, assume that the constraint set is {[0,1],[−1,7]}, then we

42 Chapter 5. Results

only use {[0,1]} in the following reach tree figure. Figure 5.2(a) shows that we addthe initial state s0 as the root of the tree. In Figure 5.2(b) we add jump successorss1, s2 as child nodes of s0. As s2 = s0 we mark s2 as a processed node and donot calculate further successor of s2 any more. Figure 5.2(c) shows that after time-successor calculation the bad state s3 is reached. We do not need to calculate thesuccessors of bad state s3. As mentioned in Section 4.2.1 we separate the state set,which does not contain bad state, into substate sets to avoid disjunction. s4, s5 inFigure 5.2(c) are two substates after separation, and the jump-successors of s4, s5

are s6, s7. For the reason that s6 = s0 and s7 = s0 we mark s6 and s7 as processednodes. Thus forward analysis is finished.

s0l0

[−1,1]

(a)

s0l0

[−1,1]

s1l1

[−1,1]

e0

s2l0

[−1,1]

e1

(b)

s0l0

[−1,1]

s1l1

[−1,1]

s3l1

[6,8]

τ

s4l1

[−1,6)

s6l0

[−1,1]

e2

τ

s5l1

(8,∞)

s7l0

[−1,1]

e2

τ

e0

s2l0

[−1,1]

e1

(c)

Figure 5.2: Computation tree after forward analysis

After the reach tree construction we apply backward analysis and calculate theprobability at the same time. Figure 5.4 shows that we apply backward analysisstarting from bad state s3. In Figure 5.3(a) we do backward reachability analysis

5.1. Simple Test Example 43

one step back. We get the predecessor s′1 and the probability from s′1 to reach s3 is23 . We do one more step backward reachability analysis and get the predecessor s0

in Figure 5.3(b), which is the initial state. The probability of reaching s3 from s0

through s′1 is 1333

s′1l1

[−1,8]

s3l1

[6,8]

τ

prob = 1

prob = 23

(a)

s0l0

[−1,1]

s′1l1

[−1,8]

s3l1

[6,8]

τ

e0

prob = 1

prob = 23

prob = 1333

(b)

Figure 5.3: Computation tree after backward analysis

If we use direct backward analysis introduced in Section 4.4, we get a similarreach tree as shown in Figure 5.4. The only difference is that s′1 by applying directbackward analysis is (l1,(∞,8]), because by applying direct backward analysis we donot have any restrictions of predecessors, which is given by forward analysis when weapply first forward analysis and then backward analysis.

5.1.2 Not Reachable Bad State Analysis

Assume that the initial state is s0 = (l0,{x ∈ [−1,1]}) and the bad state is sbad =(l1,{x ∈ [−10, − 9]}). We first apply the forward analysis introduced in Section 4.2to construct a reach tree. We get a reach tree shown in Figure 5.4(a). The initialstate s0 is the root of the tree, and after traveling through all reachable state we findthe bad state sbad is not reachable. There is no need to do backward analysis, sincethe bad state is not reachable. Then we apply direct backward analysis introducedin Section 4.4, the reach tree is shown in Figure 5.4(b). Instead of traveling throughall reachable states, we only do one step backward reachability analysis to find thatthe bad state sbad is not reachable.

5.1.3 Comparing the Two Approaches

Section 5.1.1 shows that the forward analysis offers more execution information of theprocess, which may reduce a part of the calculation when we do backward analysis.Section 5.1.2 shows that if only information we need to know is the probability toreach bad states, then apply direct backward analysis may be a better approach.Thus for different scenarios we could choose one proper approach to apply. The basic


s0l0

[−1,1]

s1l1

[−1,1]

s3l0

[−1,1]

e2

e0

s2l0

[−1,1]

e1

(a)

NULL

sbad

l1[−10,− 9]

(b)

Figure 5.4: Computation tree after backward analysis

principle is that if we only need to analysis the reachability of bad states, we applydirect backward analysis , otherwise first apply forward analysis and then backwardanalysis.

5.2 A Two Room Shared Heater ExampleUPPAAL [upp] is a tool to model, validate and verificate the real-time systems. Someof the case studies modeled in UPPAAL are hybrid automata, which we may use asbenchmarks after some adaption. A two room shared heater [DLL+15] is a StatisticalModel Checking(SMC) example which can be analyzed by UPPAAL. In this example,we consider a heater which is shared by two independent rooms. At any time at mostone room can be heated. The model shown in [DLL+15] is a set of parallel hybridautomata, the first step of adaption is to build the parallel composition of hybridautomata.

As committed location in UPPAAL does not effect the variable values, we buildthe parallel composition of hybrid automata by ignoring committed location. We getthe automata shown in Figure 5.5. As our purpose is to do reachability analysis,we eliminate the locations which are not reachable from the initial location and getthe automata shown in Figure 5.6. Another significant adaption is to modify thenon-rectangular labeling functions in [DLL+15] to labeling functions in rectangularregions. We choose proper rectangular regions to simulate the temperature changing.The final stochastic rectangular automata is shown in Figure 5.7, and for simplifi-cation we use OFF , ONr0 , ONr1 to represent the location (OFF, OFFr0 , OFFr1),(ON0, ONr0 , OFFr1), (ON1, OFFr0 , ONr1) in Figure 5.6 respectively. Assume thatthe initial state is (OFF,{x = 0,T0 ∈ [20,25],T1 ∈ [20,25]}), the probability that theroom r0 is heated to T0 = 70 by switch on the heater once time is 0.000030, close tozero. The constructed reach tree is shown in Figure 5.8.

5.2. A Two Room Shared Heater Example 45

OFF, OFFr0 , OFFr1ON0, ONr0 , OFFr1 ON1, OFFr0 , ONr1

OFF, OFFr0 , ONr1

ON0, ONr0 , ONr1

OFF, ONr0 , OFFr1

ON1, ONr0 , ONr1

Figure 5.5: The parallel composition of hybrid automata of a two room shared heaterexample.

OFF, OFFr0 , OFFr1ON0, ONr0 , OFFr1 ON1, OFFr0 , ONr1

Figure 5.6: The parallel composition of hybrid automata of a two room shared heaterexample after eliminate unreachable locations.

OFFx := 1

T0 := [−8,0]

T1 := [−8,0]x ≤ 4

ONr0x = 0

T0 = [0,10]

T1 = [−8,0]expontialrate : 2

ONr1x = 0

T0 = [−8,0]

T1 = [0,10]expontialrate : 1e0 : 1

e2 : 1

x := 0

e1 : 3

e3 : 1

x := 0

Figure 5.7: The stochastic rectangular automata of a two room shared heater example.


OFFx = 0

T0 ∈ [20,25]T1 ∈ [20,25]

ONr0x ∈ [0,4]

T0 ∈ [−12,25]T1 ∈ [−12,25]

ONr0x ∈ [0,∞)

T0 ∈ [−12,70)T1 ∈ (−∞,25]

OFFx = 0

T0 ∈ [−12,70)T1 ∈ (−∞,25]

...

e2

τ

ONr0x ∈ [0,∞)T0 ∈ [70,∞)T1 ∈ (−∞,25]

τ

e0

ONr1x ∈ [0,4]

T0 ∈ [−12,25]T1 ∈ [−12,25]

OFFx = 0

T0 ∈ (−∞,25])T1 ∈ [−12,∞)

ONr0x ∈ [0,4]

T0 ∈ (−∞,25]T1 ∈ [−44,∞]

OFFx = 0

T0 ∈ (−∞,∞)T1 ∈ [−44,∞]

...

e2

e0

ONr1x ∈ [0,4]

T0 ∈ (−∞,25]T1 ∈ [−44,∞)

...

e1

e3

e1

prob = 1

prob = 0.000123

prob = 0.000030

Figure 5.8: The tree constructed after forward analysis for a two room shared heaterexample.

Chapter 6

Conclusion

6.1 Summary

In this thesis we introduce the reachability analysis for stochastic rectangular au-tomata. Stochastic rectangular automata, which is an extension of stochastic timedautomata, is a kind of probabilistic rectangular automata with continuous-time prob-ability distribution. The probability distribution of stochastic rectangular automatahas two parts, one is over delays and the other is over transitions. The probabilitydistribution over delays is continuous. The probability distribution over transitionsis dependent on enabled transition in a given time interval.

The most important part of reachability analysis implementation is time intervalcalculation. For a state s, the time interval before taking transition e to s′ is deter-mined by eliminating the variables expect time in intersection of the states valuation,activities, invariants, guards and resets. Then the probability calculation is based onthe time intervals.

One approach to implement reachability analysis is to do forward and backwardanalysis in sequence. Forward analysis is to travel through all reachable states bybreadth-first search, after that it builds a computation tree for processed states. Ac-cording to the reach tree constructed by forward analysis we do backward analysisfrom reachable bad states. For each step we calculate the predecessors of the currentstate and the probability of moving from each predecessor to current state respec-tively. Once the root of the reach tree is arrived, the backward analysis is completedand we get the probability of starting from initial state to reach at least one bad state.

Another approach to implement reachability analysis is to do backward analysisdirectly. Starting from one of the bad states, we do backward reachability calculationstep by step, in the meanwhile calculate the probability of reaching a bad state fromcurrently processing state. Once the predecessor is marked as processed states, werepeat backward reachability calculation from one of unprocessed bad states. Untilall bad states are marked as a processed states, we sum up the probability of movingfrom the initial states to bad states.

The two approaches are applied in different scenarios. In Chapter 5 we compare thetwo approaches by applying them for the same example. None of them is absolutelyefficient than the other. The basic principle is that if we need the information of allreachable states, then the first approach is a proper way, otherwise we choose thesecond approach.

48 Chapter 6. Conclusion

6.2 Future workProbabilistic Rectangular Automata with pure continuous-time probabil-ity distribution. Stochastic rectangular automata introduced in this paper has twoparts of probability distribution. The probability distribution over transitions is de-pendent on the weights of enabled transitions in a given time interval, which is stilldiscrete-time probability distribution. By adapting the probability distribution overtransitions to a continuous-time probability distribution, we would introduce a prob-abilistic Rectangular Automata with pure continuous-time probability distribution,which is more efficient to model the systems in our daily life.

Probabilistic Hybrid Automata with continuous-time probability dis-tribution. Rectangular automata is a subclass of hybrid automata. The labelingfunction of rectangular automata is restricted to rectangular regions. However, inoder to model a more complicated systems we need a more expressible model. In thefuture, we could extend the probabilistic rectangular automata first to probabilisticlinear hybrid automata and then to probabilistic general hybrid automata. In whichcase, the valuation of variables is not only dependent on time but also on the valueof variables.

Bibliography

[ACH+95] Rajeev Alur, Costas Courcoubetis, Nicolas Halbwachs, Thomas A Hen-zinger, Pei-Hsin Ho, Xavier Nicollin, Alfredo Olivero, Joseph Sifakis, andSergio Yovine. The algorithmic analysis of hybrid systems. Theoreticalcomputer science, 138(1):3–34, 1995.

[ACHH92] Rajeev Alur, Costas Courcoubetis, Thomas A Henzinger, and Pei-HsinHo. Hybrid automata: An algorithmic approach to the specification andverification of hybrid systems. In Hybrid systems, pages 209–229. Springer,1992.

[AD94] Rajeev Alur and David L Dill. A theory of timed automata. Theoreticalcomputer science, 126(2):183–235, 1994.

[BBB+14] Nathalie Bertrand, Patricia Bouyer, Thomas Brihaye, Quentin Menet,Christel Baier, Marcus Größer, and Marcin Jurdzinski. Stochastic timedautomata. arXiv preprint arXiv:1410.2128, 2014.

[BDG+11] Thomas Brihaye, Laurent Doyen, Gilles Geeraerts, Joël Ouaknine, Jean-François Raskin, and James Worrell. On reachability for hybrid automataover bounded time. In International Colloquium on Automata, Languages,and Programming, pages 416–427. Springer, 2011.

[BK02] Falko Bause and Pieter S Kritzinger. Stochastic petri nets, volume 1.Citeseer, 2002.

[BK08] Christel Baier and Joost-Pieter Katoen. Principles of model checking.MIT press, 2008.

[Bra05] Michael S. Branicky. Introduction to Hybrid Systems, pages 91–116.Birkhäuser Boston, Boston, MA, 2005.

[DLL+15] Alexandre David, Kim G Larsen, Axel Legay, Marius Mikučionis, andDanny Bøgsted Poulsen. Uppaal smc tutorial. International Journal onSoftware Tools for Technology Transfer, 17(4):397–415, 2015.

[HKPV98] Thomas A Henzinger, Peter W Kopke, Anuj Puri, and Pravin Varaiya.What’s decidable about hybrid automata? Journal of computer andsystem sciences, 57(1):94–124, 1998.

[HM00] Thomas A Henzinger and Rupak Majumdar. Symbolic model checkingfor rectangular hybrid systems. In International Conference on Tools and

50 Bibliography

Algorithms for the Construction and Analysis of Systems, pages 142–156.Springer, 2000.

[HMU01] John E Hopcroft, Rajeev Motwani, and Jeffrey D Ullman. Introduc-tion to automata theory, languages, and computation. Acm Sigact News,32(1):60–65, 2001.

[JELS99] Karl Henrik Johansson, Magnus Egerstedt, John Lygeros, and ShankarSastry. On the regularization of zeno hybrid automata. Systems & controlletters, 38(3):141–150, 1999.

[KNS02] Marta Kwiatkowska, Gethin Norman, and Jeremy Sproston. Probabilis-tic model checking of the ieee 802.11 wireless local area network proto-col. In Joint International Workshop von Process Algebra and Proba-bilistic Methods, Performance Modeling and Verification, pages 169–187.Springer, 2002.

[Kop96] Peter W Kopke. The theory of rectangular hybrid automata. Technicalreport, Cornell University, 1996.

[PDMV15] Pavithra Prabhakar, Parasara Sridhar Duggirala, Sayan Mitra, and Ma-hesh Viswanathan. Hybrid automata-based cegar for rectangular hybridsystems. Formal Methods in System Design, 46(2):105–134, 2015.

[SAMK17] Stefan Schupp, Erika Abraham, Ibtissem Ben Makhlouf, and StefanKowalewski. H y p ro: A c++ library of state set representations forhybrid systems reachability analysis. In NASA Formal Methods Sympo-sium, pages 288–294. Springer, 2017.

[SFÁ19] Stefan Schupp, Goran Frehse, and Erika Ábrahám. State set represen-tations and their usage in the reachability analysis of hybrid systems.Technical report, Fachgruppe Informatik, 2019.

[Spr11] Jeremy Sproston. Discrete-time verification and control for probabilisticrectangular hybrid automata. In 2011 Eighth International Conferenceon Quantitative Evaluation of SysTems, pages 79–88. IEEE, 2011.

[upp] Uppaal. https://uppaal.org.

https://uppaal.org

the present work was submitted to the lufg theory of

Documents